Solved

DCOM Hardening CVE-2021-26414


Userlevel 1
Badge +5

Has anyone inquired if Commvault will be affected by this once the security is fully put in place in March 2023?

Best answer by DMCVault 5 July 2022, 14:53

7 replies

Userlevel 7
Badge +23

@ShaneHicks, I’m not seeing anything in our docs or incidents.

I’ll check with @DMCVault who would know.

Userlevel 7
Badge +23

@ShaneHicks, I talked to @DMCVault who mentioned the fix for this is to apply Windows updates.

From MSFT:

https://msrc.microsoft.com/update-guide/vulnerability/CVE-2021-26414

I can’t find anything showing we are affected, though there’s a remediation available.

Userlevel 5
Badge +8

@ShaneHicks we don't think this will have any effects on our software, but we will validate just to be sure.

Userlevel 1
Badge +5

Yes please do @DMCVault. We just want to make sure that in March 2023 when the component is not available anymore that Commvault will be ok.

I agree that it probably will not affect CV but wanted to make sure.

Userlevel 5
Badge +8

@ShaneHicks I dug into it, and found that we had recently tested this MS fix, and confirmed no impact on Commvault. Let us know if you have further questions.

Userlevel 1
Badge +5

Thank you @DMCVault for your help.

Badge

I recently had to disable the hardening in order to install CV agents onto a Hyper-V host from the CommServe. With hardening enabled on other hosts, I had to copy the packages to the host and run CV setup locally.


Not being able to remotely push out client installs from CV isn’t great. 

So I think there is an impact, though perhaps additional testing / understanding is required.

https://support.microsoft.com/en-us/topic/kb5004442-manage-changes-for-windows-dcom-server-security-feature-bypass-cve-2021-26414-f1400b52-c141-43d2-941e-37ed901c769c


Personally, I’m going to engage my local CV team and log a case to investigate this further.
